Improving PCA‐based anomaly detection by using multiple time scale analysis and Kullback–Leibler divergence

SUMMARY The increasing number of network attacks causes growing problems for network operators and users. Thus, detecting anomalous traffic is of primary interest in IP networks management. In this paper, we address the problem considering a method based on PCA for detecting network anomalies. In more detail, this paper presents a new technique that extends the state of the art in PCA-based anomaly detection. Indeed, by means of multi-scale analysis and Kullback–Leibler divergence, we are able to obtain great improvements with respect to the performance of the ‘classical’ approach. Moreover, we also introduce a method for identifying the flows responsible for an anomaly detected at the aggregated level. The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed method.Copyright © 2012 John Wiley & Sons, Ltd.

[1]  Richard Lippmann,et al.  The 1999 DARPA off-line intrusion detection evaluation , 2000, Comput. Networks.

[2]  Graham Cormode,et al.  An improved data stream summary: the count-min sketch and its applications , 2004, J. Algorithms.

[3]  Mark Crovella,et al.  Characterization of network-wide anomalies in traffic flows , 2004, IMC '04.

[4]  Philip K. Chan,et al.  An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection , 2003, RAID.

[5]  Jennifer Rexford,et al.  Sensitivity of PCA for traffic anomaly detection , 2007, SIGMETRICS '07.

[6]  Benoit Claise,et al.  Cisco Systems NetFlow Services Export Version 9 , 2004, RFC.

[7]  Ramesh Govindan,et al.  Detection and identification of network anomalies using sketch subspaces , 2006, IMC '06.

[8]  Mark Crovella,et al.  Mining anomalies using traffic feature distributions , 2005, SIGCOMM '05.

[9]  Noureddine Boudriga,et al.  Intrusion detection and tolerance: A global scheme , 2008 .

[10]  Christophe Diot,et al.  Diagnosing network-wide traffic anomalies , 2004, SIGCOMM.

[11]  Yang Xiao,et al.  Integration of mobility and intrusion detection for wireless ad hoc networks , 2007, Int. J. Commun. Syst..

[12]  Xiangliang Zhang,et al.  A Novel Intrusion Detection Method Based on Principle Component Analysis in Computer Security , 2004, ISNN.

[13]  Konstantina Papagiannaki,et al.  Structural analysis of network traffic flows , 2004, SIGMETRICS '04/Performance '04.

[14]  Symeon Papavassiliou,et al.  Improving network anomaly detection effectiveness via an integrated multi-metric-multi-link (M3L) PCA-based approach , 2009, Secur. Commun. Networks.

[15]  Christian Callegari,et al.  A novel multi time-scales PCA-based anomaly detection system , 2010, Proceedings of the 2010 International Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS '10).

[16]  Ruey-Maw Chen,et al.  Effective allied network security system based on designed scheme with conditional legitimate probability against distributed network attacks and intrusions , 2012, Int. J. Commun. Syst..